Firewall Wizards mailing list archives

RE: Managed Security Metrics


From: "Crumrine, Gary L" <CrumrineGL () state gov>
Date: Wed, 7 Mar 2001 06:09:39 -0500

I think one of the biggest things a potential customer has to do is be
realistic in their expectations.  Consider what the underlying reason is
that is leading them to outsource.  Some of the reasons that make sense are
not possessing the required staff, unable to afford the up front costs to do
it yourself etc.  

A good rule of thumb I would suggest is to not expect much more from a
provider than what you are willing or able to do yourself.  Now there is
going to be a higher expectation of competency surely, but think about it.
For you to build in full redundancy, 24x7 monitoring, 0 downtime, CERT
reaction teams etc... it all represents a large investment for anyone to
fully implement.  Whether that be the customer, or the outsourced provider.
You can't expect to get full house capability on a beer budget... neither
can you expect the same requirements from the outsource provider if you are
not willing or able to pay for the added services.

Do I think it reasonable to expect them to maintain their equipment, patches
etc... certainly.  Do I expect a reasonable response time in solving
problems... sure.  But customers must also realize they are not the only
customers that the provider has to support.  That is why most providers will
package their offerings at different levels of service with various price
points to match.

It is all about providing reasonable and affordable service levels at prices
that match your enterprise needs.  You want direct access to support, it
will cost you... If you can afford to wait in the queue, then step your
support level down a notch or two.

Lastly, I have seen people suggest that they expect to never be
breached/hacked whatever.  Think about that... there is no system without
vulnerabilities that cannot be exploited over time.  The most you can
realistically expect is that the provider act in a professional manner,
maintain their equipment/software and is capable of reacting to crisis
situations in a reasonable amount of time.

Exactly what you would expect from your staff if you kept the service in
house. 

-----Original Message-----
From: Adam Shostack [SMTP:adam () homeport org]
Sent: Monday, March 05, 2001 6:01 PM
To:   Mike Smith
Cc:   firewall-wizards () nfr com
Subject:      Re: [fw-wiz] Managed Security Metrics

I think that there's a lot of process issues which are not easily
quantified.  For example, I want to know that an account will be shut
off within 5 minutes of a lost token report, but more than that I want 
them to go through a list of accounts quarterly to ensure that there
is a known, employed user using the account.

I'd like to see log monitoring, a guaranteed response time to
certain classes of events, e.g., any user not on a shortlist becoming
root leads to a phone call that connects with my escalation tree
inside of 15 minutes.

Perhaps you can make the question more specific: What are you trying
to protect?  What is the service selling you?  Is it "firewall and in, 
end-to-end security?"  Is it firewall log monitoring?

Adam


On Mon, Mar 05, 2001 at 01:37:10PM -0500, Mike Smith wrote:
| So I'm back to asking, what are suitable, measurable criteria for judging
| the quality of my security service provider's performance?
| 
| Mike Smith

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                     -Hume
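The three criteria Adam lists (token revocation inside 5 minutes, a quarterly review that every account has a known employed owner, and a phone call within 15 minutes whenever someone outside a shortlist becomes root) can all be measured from records rather than argued about. The script below is an added example written for this archive page, not code from either poster or from any provider. The su log lines, the shortlist, the escalation call times and the lost-token incidents are all constructed sample data, and the log year is assumed to be 2001 because syslog lines do not carry one.

```python
"""Measurable checks for the provider criteria discussed above (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real logs): su sessions opened on a gateway.
SAMPLE_AUTH_LOG = """\
Mar  5 13:40:02 gw1 su[1234]: pam_unix(su:session): session opened for user root by alice(uid=1001)
Mar  5 14:02:17 gw1 su[1301]: pam_unix(su:session): session opened for user root by mallory(uid=1042)
Mar  5 14:05:55 gw1 su[1320]: pam_unix(su:session): session opened for user bob by bob(uid=1002)
Mar  5 16:11:09 gw1 su[1555]: pam_unix(su:session): session opened for user root by carol(uid=1003)
"""

ROOT_SHORTLIST = {"alice", "bob"}   # assumption: the users permitted to become root
LOG_YEAR = 2001                     # assumption: syslog lines carry no year

SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ su\[\d+\]: "
    r"pam_unix\(su:session\): session opened for user (?P<target>\w+) by (?P<actor>\w+)"
)


def parse_root_sessions(log_text, year=LOG_YEAR):
    """Return (timestamp, actor) for every su session that was opened as root."""
    sessions = []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if not m or m.group("target") != "root":
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        sessions.append((ts, m.group("actor")))
    return sessions


def unauthorized_root_events(log_text, shortlist=ROOT_SHORTLIST):
    """Events that must reach the escalation tree: root gained by a non-shortlisted user."""
    return [(ts, who) for ts, who in parse_root_sessions(log_text) if who not in shortlist]


def within_sla(event_time, response_time, limit):
    """True when the response happened after the event and no later than `limit` afterwards."""
    return timedelta(0) <= response_time - event_time <= limit


# Constructed record of when the provider's call reached the customer's escalation tree.
ESCALATION_CALLS = {
    "mallory": datetime(2001, 3, 5, 14, 13, 0),   # 10m43s after the event: met
    "carol": datetime(2001, 3, 5, 16, 40, 0),     # 28m51s after the event: missed
}


def escalation_sla_report(log_text, calls=ESCALATION_CALLS, limit=timedelta(minutes=15)):
    """Per unauthorized root event, did the phone call arrive within the 15-minute limit?"""
    report = {}
    for ts, who in unauthorized_root_events(log_text):
        called = calls.get(who)
        report[who] = called is not None and within_sla(ts, called, limit)
    return report


# Constructed lost-token incidents: (time reported, time the account was disabled).
TOKEN_INCIDENTS = [
    (datetime(2001, 3, 5, 9, 0, 0), datetime(2001, 3, 5, 9, 3, 0)),     # 3 minutes: met
    (datetime(2001, 3, 5, 11, 30, 0), datetime(2001, 3, 5, 11, 41, 0)), # 11 minutes: missed
]


def sla_attainment(pairs, limit):
    """Fraction of (event, response) pairs that met the limit; the figure to put in the report."""
    if not pairs:
        return 1.0
    return sum(within_sla(a, b, limit) for a, b in pairs) / len(pairs)


def orphaned_accounts(accounts, employed_users):
    """The quarterly review: accounts with no known, currently employed owner."""
    return sorted(a for a in accounts if a not in employed_users)


if __name__ == "__main__":
    print("unauthorized root:", unauthorized_root_events(SAMPLE_AUTH_LOG))
    print("15-minute escalation met:", escalation_sla_report(SAMPLE_AUTH_LOG))
    print("5-minute token revocation:", sla_attainment(TOKEN_INCIDENTS, timedelta(minutes=5)))
    print("orphaned accounts:", orphaned_accounts({"alice", "bob", "carol", "svc-old"},
                                                  {"alice", "bob", "carol"}))
```

Each function returns a value that can be written into a monthly report and compared against the contracted level, which is the point of the thread: the criterion is only useful if both sides can compute it from the same records.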


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards